author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-06-24 12:10:12 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-06-25 14:09:16 +0200 |
commit | b3bf490434c78b565c369064f371788eaecace35 (patch) | |
tree | 6fd02ca4be366d9b23b7b1eac362cb5ea70b1d0e | |
parent | driver: specify pnplockdown in inf (diff) | |
driver: allow admins but require high integrity label
Might be more reasonable.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | driver/driver.vcxproj | 2 | ||||
-rw-r--r-- | driver/undocumented.h | 20 | ||||
-rw-r--r-- | driver/wintun.c | 56 |
3 files changed, 70 insertions, 8 deletions
diff --git a/driver/driver.vcxproj b/driver/driver.vcxproj
index 4457db2..915326e 100644
--- a/driver/driver.vcxproj
+++ b/driver/driver.vcxproj
@@ -96,7 +96,7 @@
 <PreprocessorDefinitions>NDIS_MINIPORT_DRIVER=1;NDIS620_MINIPORT=1;NDIS683_MINIPORT=1;NDIS_WDM=1;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 </ResourceCompile>
 <Link>
- <AdditionalDependencies>ndis.lib;wdmsec.lib;%(AdditionalDependencies)</AdditionalDependencies>
+ <AdditionalDependencies>ndis.lib;wdmsec.lib;ksecdd.lib;%(AdditionalDependencies)</AdditionalDependencies>
 </Link>
 <DriverSign>
 <FileDigestAlgorithm>sha256</FileDigestAlgorithm>
diff --git a/driver/undocumented.h b/driver/undocumented.h
index 199e3c7..7f538b7 100644
--- a/driver/undocumented.h
+++ b/driver/undocumented.h
@@ -44,3 +44,23 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 ZwYieldExecution(VOID);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlSetSaclSecurityDescriptor(
+ _In_ PSECURITY_DESCRIPTOR SecurityDescriptor,
+ _In_ BOOLEAN SaclPresent,
+ _In_opt_ PACL Sacl,
+ _In_opt_ BOOLEAN SaclDefaulted);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddMandatoryAce(
+ _Inout_ PACL Acl,
+ _In_ ULONG AceRevision,
+ _In_ ULONG AceFlags,
+ _In_ PSID Sid,
+ _In_ UCHAR AceType,
+ _In_ ULONG AccessMask);
diff --git a/driver/wintun.c b/driver/wintun.c
index 9d87005..d7e3ef4 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -845,28 +845,70 @@ _Use_decl_annotations_ static NTSTATUS
 TunInitializeDispatchSecurityDescriptor(VOID)
 {
 NTSTATUS Status;
- SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
- SID LocalSystem = { 0 };
- if (!NT_SUCCESS(Status = RtlInitializeSid(&LocalSystem, &NtAuthority, 1)))
+ struct
+ {
+ SID Sid;
+ } LocalSystem;
+ struct
+ {
+ SID Sid;
+ ULONG ExtraAuthority;
+ } BuiltinAdministrators;
+ struct
+ {
+ SID Sid;
+ } HighLabel;
+ ULONG SidSize = sizeof(LocalSystem);
+ if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinLocalSystemSid, &LocalSystem.Sid, SidSize, &SidSize)))
+ return Status;
+ SidSize = sizeof(BuiltinAdministrators);
+ if (!NT_SUCCESS(
+ Status = SecLookupWellKnownSid(WinBuiltinAdministratorsSid, &BuiltinAdministrators.Sid, SidSize, &SidSize)))
+ return Status;
+ SidSize = sizeof(HighLabel);
+ if (!NT_SUCCESS(Status = SecLookupWellKnownSid(WinHighLabelSid, &HighLabel.Sid, SidSize, &SidSize)))
 return Status;
- *RtlSubAuthoritySid(&LocalSystem, 0) = SECURITY_LOCAL_SYSTEM_RID;
 struct
 {
 ACL Dacl;
- ACCESS_ALLOWED_ACE AceFiller;
- SID SidFiller;
+ ACCESS_ALLOWED_ACE Ace1;
+ SID Sid1;
+ ACCESS_ALLOWED_ACE Ace2;
+ SID Sid2;
 } DaclStorage = { 0 };
+ struct
+ {
+ ACL Sacl;
+ SYSTEM_MANDATORY_LABEL_ACE Ace;
+ SID Sid;
+ } SaclStorage = { 0 };
 if (!NT_SUCCESS(Status = RtlCreateAcl(&DaclStorage.Dacl, sizeof(DaclStorage), ACL_REVISION)))
 return Status;
+ if (!NT_SUCCESS(Status = RtlCreateAcl(&SaclStorage.Sacl, sizeof(SaclStorage), ACL_REVISION)))
+ return Status;
 ACCESS_MASK AccessMask = GENERIC_ALL;
 RtlMapGenericMask(&AccessMask, IoGetFileObjectGenericMapping());
- if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem)))
+ if (!NT_SUCCESS(Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &LocalSystem.Sid)))
+ return Status;
+ if (!NT_SUCCESS(
+ Status = RtlAddAccessAllowedAce(&DaclStorage.Dacl, ACL_REVISION, AccessMask, &BuiltinAdministrators.Sid)))
+ return Status;
+ if (!NT_SUCCESS(RtlAddMandatoryAce(
+ &SaclStorage.Sacl,
+ ACL_REVISION,
+ 0,
+ &HighLabel.Sid,
+ SYSTEM_MANDATORY_LABEL_ACE_TYPE,
+ SYSTEM_MANDATORY_LABEL_NO_READ_UP | SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |
+ SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP)))
 return Status;
 SECURITY_DESCRIPTOR SecurityDescriptor = { 0 };
 if (!NT_SUCCESS(Status = RtlCreateSecurityDescriptor(&SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)))
 return Status;
 if (!NT_SUCCESS(Status = RtlSetDaclSecurityDescriptor(&SecurityDescriptor, TRUE, &DaclStorage.Dacl, FALSE)))
 return Status;
+ if (!NT_SUCCESS(Status = RtlSetSaclSecurityDescriptor(&SecurityDescriptor, TRUE, &SaclStorage.Sacl, FALSE)))
+ return Status;
 SecurityDescriptor.Control |= SE_DACL_PROTECTED;
 ULONG RequiredBytes = 0;
 Status = RtlAbsoluteToSelfRelativeSD(&SecurityDescriptor, NULL, &RequiredBytes); |
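Review bot: The failure branch of the new `RtlAddMandatoryAce` call returns `Status` without assigning it, and at that point `Status` still holds the success code from the preceding `RtlAddAccessAllowedAce`, so a failed SACL insertion reports success and the caller continues with a descriptor that carries no high-integrity label — the one protection this commit adds. Every other call in the function captures its result inside the check; this one should match: `if (!NT_SUCCESS(Status = RtlAddMandatoryAce(`. The `Ace2`/`Sid2` members added to `DaclStorage` appear to rely on `ACCESS_ALLOWED_ACE`'s trailing `SidStart` plus `SID`'s single `SubAuthority` to fit the two-sub-authority Administrators SID; `RtlAddAccessAllowedAce` rejects an undersized ACL so a miscount would fail loudly, but a comment on the struct stating that sizing assumption would help the next reader. The function's first line (`_Use_decl_annotations_ static NTSTATUS`) precedes the hunk and its body continues past the end of it.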